Invalidate an access token
An auth token was stolen from a user by an unknown party, so I want to destroy it and generate a new one. Does anyone know how I can invalidate an auth token?
Answers
The usual way you handle this is time. Access tokens should be time limited so that they become useless to a third party within a short-ish window. A pattern of issuing new tokens over the use of the application keeps the session live.
By default, Xano auth tokens last 24 hours. If that's the case for you, your problem should be ending soon.
If you maybe set the key to an ultra-long or indefinite (e.g. expiration 0) lifetime, the above doesn't help you right now! This is like someone stole your house keys. The solution isn't to invalidate the key - it's to change the locks, which will invalidate everyone else's keys too. One can do that by changing the way you do auth to include some additional criteria (like an additional claim you check for - the stolen key won't have it) or shifting which table you use for the users. This will be disruptive, but it's the price we pay for security. That's why I ask about checking for the auto-expiration first. We use that so we don't have to change the locks!
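As an added illustration (not from the original thread and not Xano's own token implementation), here is the pattern the answer describes in Python: short-lived signed tokens, a rotation helper that issues a fresh token near expiry, and a per-user version claim so that "changing the locks" invalidates every outstanding token. The HMAC signing scheme, the `USERS` table, the `auth_version` field and the secret are constructed assumptions for the demo.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

SECRET = b"constructed-demo-signing-secret"  # assumption: server-side key, never sent to clients

# Constructed user table. auth_version is the "lock version" every token must match.
USERS = {42: {"email": "alice@example.com", "auth_version": 1}}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user_id: int, ttl_seconds: int = 24 * 3600, now=None) -> str:
    """Mint a time-limited token carrying the user's current lock version."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "iat": int(now), "exp": int(now) + ttl_seconds,
              "ver": USERS[user_id]["auth_version"]}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def validate_token(token: str, now=None) -> Optional[dict]:
    """Return the claims if signature, expiry and lock version all check out, else None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None                      # forged or tampered token
    claims = json.loads(_unb64(body))
    if claims["exp"] <= now:
        return None                      # short TTL: a stolen token dies on its own
    user = USERS.get(claims["sub"])
    if user is None or claims.get("ver") != user["auth_version"]:
        return None                      # locks were changed: old tokens no longer fit
    return claims


def change_locks(user_id: int) -> None:
    """Invalidate every outstanding token for this user by bumping the version."""
    USERS[user_id]["auth_version"] += 1


def refresh_if_needed(token: str, now=None, window: int = 3600) -> Optional[str]:
    """Rotation pattern: hand back a fresh token when the current one is near expiry."""
    now = time.time() if now is None else now
    claims = validate_token(token, now)
    if claims is None:
        return None
    return issue_token(claims["sub"], now=now) if claims["exp"] - now < window else token
```

Bumping the version revokes all of that user's tokens at once, which matches the "change the locks" trade-off in the answer: the legitimate user logs in again, and the stolen token is rejected on its next use.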
Can you please share your workflow, with a Xano snippet, of how the "pattern of issuing new tokens" works?